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Prepare and measure quantum key distribution protocols can be decomposed into two basic steps: 
delivery of the signals over a quantum channel and distillation of a secret key from the signal and 
measurement records by classical processing and public communication. Here we formalize the dis- 
tillation process for a general protocol in a purely quantum-mechanical framework and demonstrate 
that it can be viewed as creating an "effective" quantum channel between the legitimate users Alice 
and Bob. The process of secret key generation can then be viewed as entanglement distribution us- 
ing this channel, which enables application of entanglement-based security proofs to essentially any 
prepare and measure protocol. To ensure secrecy of the key, Alice and Bob must be able to estimate 
the channel noise from errors in the key, and we further show how symmetries of the distillation 
process simplify this task. Applying this method, we prove the security of several key distribution 
protocols based on equiangular spherical codes. 



I. INTRODUCTION 

Quantum key distribution (QKD) is currently the most 
successful theoretical and practical application of quan- 
tum information theory to solving a real-world problem 
that classical information theory cannot: secure expan- 
sion of previously held keys between two separated par- 
ties using public channels. In its simplest form, it only 
requires that one party, Alice, prepare and send individ- 
ual quantum systems to the other, Bob, who immediately 
measures them. No collective storage or manipulation of 
the quantum systems is required, making it a very hum- 
ble foray into the quantum world. After the quantum 
communication phase is complete, Alice and Bob have 
classical strings corresponding to the signal and mea- 
surement records, respectively. With the aid of a public 
classical channel and their previously held keys, they can 
then collaborate to distill the new (longer) secret key 
from these strings. 

Ever more sophisticated methods of proving the uncon- 
ditional security of such protocols have recently been de- 
veloped. In particular, strong links have been forged be- 
tween the security of a given protocol and the ability of a 
suitable quantum version to implement entanglement dis- 
tillation. Building on work by Lo and Chau Shor and 
Preskill [2| demonstrated that the classical distillation 
steps of traditional prepare and measure schemes could 
be seen as a version of entanglement distillation by using 
Calderbank-Shor-Steane (CSS) quantum error-correcting 
codes 0. They illustrated this technique by application 
to the prototypical Bennett-Brassard 1984 (BB84) pro- 
tocol |4| , and the analysis of the structurally similar six- 
state protocol 5] followed soon thereafter [(J. By view- 
ing the measurement as a local filtering operation , the 
Bennett 1992 (B92) HEI and "trine" Phoenix-Barnett- 
Chefles 2000/Renes 2004 (PBC00/R04) [HHHGl pro- 
tocols were tackled by essentially orthogonalizing some 



of the measurement outcomes in order to prepare them 
for the CSS-based error correction. 

The main obstacle to formulating such an uncondi- 
tional security proof for general protocols is the concep- 
tual difficulty of reconciling the framework of entangle- 
ment distillation with the requirements proscribed by the 
protocol. How to perform entanglement distillation is 
clear enough; the trick here is to apply it to the cor- 
rect quantum state such that the entire process properly 
mimics the actual prepare and measure protocol. 

Put differently, the problem lies in providing a quan- 
tum description of the so-called "sifting" operation in 
which the signal and measurement records collected dur- 
ing the quantum communication phase are transformed 
into a raw key. The name comes from the BB84 protocol, 
where Alice and Bob keep only those signals and mea- 
surements for which the associated bases used in prepa- 
ration and measurement match, thus sifting the "good" 
bits from the "bad." The use of local filtering, as in the 
analysis of the B92 and trine protocols, is one possible 
quantum description of the sifting, or, more generally, 
decoding, step. However, it implicitly assumes that the 
distillation process requires only one-way communication 
from Alice and Bob. 

In this paper, we develop a general quantum- 
mechanical formulation of the decoding step applicable 
to a broad class of key distribution protocols. This im- 
mediately leads to a general framework for unconditional 
security based on entanglement distillation, which we il- 
lustrate by proving the unconditional security of a sev- 
eral equiangular spherical code protocols. Formalizing 
the decoding step in this manner offers insight into the 
mechanism underlying key distribution protocols. From 
this vantage point we see that the decoding step performs 
two critical tasks. First, the physical quantum chan- 
nel and the decoding process merge into an "effective" 
or logical quantum channel connecting Alice and Bob. 
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This channel describes how the physical signal system is 
transformed into a logical key system. Second, noise in 
the physical quantum channel caused by an eavesdrop- 
per, Eve, will be mapped to noise in the effective chan- 
nel. Only the latter is relevant, as it is related to what 
Eve might know about the key. Moreover, this noise can 
be easily estimated from the error rate observed in the 
decoded key string and can then be used to ensure the 
security of the protocol. 

The remainder of the paper is organized as follows. 
Section[n]lays out the details of the prepare and measure 
schemes under consideration. Section IIIII then presents 
a fully quantum-mechanical formulation of the decoding 
phase. Using this, Sec. El details how the decoding step 
creates an effective quantum channel between Alice and 
Bob within the postselected state space, with simplified 
noise patterns relative to the actual physical channel. 
The resulting formalism then enables us to easily treat 
the question of security for more-complicated and higher- 
dimensional protocols. Section is specifically devoted 
to the security of protocols using equiangular spherical 
codes in two and three dimensions. Finally, Sec. [^con- 
cludes with a discussion of further applications of this 
work and open problems. 



II. PREPARE AND MEASURE PROTOCOLS 

In a generic prepare and measure quantum key distri- 
bution protocol, two separated parties, Alice and Bob, 
wish to make use of an insecure quantum channel and 
a classical public broadcast channel in order to estab- 
lish a shared, secret string. They already share a short 
key with which they can authenticate messages from each 
other sent on the classical channel. The goal is to expand 
this short key into a longer version, suitable for encrypt- 
ing a sizable amount of data. Roughly, their strategy is 
to use the quantum channel to distribute quantum states, 
which can then be translated into a (classical) raw key. 
From this substrate the final key can be distilled with 
the aid of communication over the classical channel. By 
using quantum states, they will be able to quantify the 
effect of Eve's interference so that the appropriate coun- 
termeasures may be taken during the distillation step — 
e.g., privacy amplification. In the worst case, they can 
abort the protocol if they find that Eve's spying on the 
channel is so severe that no secret key can be created. 

These sorts of key distribution protocols can be de- 
composed into two phases: a delivery phase using the 
quantum channel and a distillation phase using the clas- 
sical channel. Alice sends signals to Bob over the quan- 
tum channel in the delivery phase, who immediately 
measures them — hence the term "prepare and measure." 
The signals are drawn from the ensemble of signal let- 
ters iS = {\£j) £ C d }" =1 , where the prior probability for 
each signal is encoded in its squared norm: irj = 
Bob's measurement is described by a positive-operator- 
valued measure (POVM) M = {]%) € C d }^ =l such that 



Hk \Vk)(Vk\ = 1- Without loss of generality both S and 
M. are ensembles of pure states since ensembles of mixed 
states could be further decomposed into them. 

A signal ensemble is termed oblivious when 
12 j = -V^i meaning that a random signal 

on the quantum channel is completely unbiased. In 
contrast, general ensembles are biased, a property 
Eve may be able to exploit. Here we will focus on 
oblivious ensembles with uniform prior probabilities; the 
obliviousness will play a small but important role in the 
next section. 

Given a noiseless quantum channel, the joint probabil- 
ity for Alice to send the jth signal and Bob to obtain the 
fcth outcome is given by the simple rule 

Pjk = \(r)k\Z j )\ 2 . (1) 

Every round yields Alice and Bob one letter each; re- 
peating the protocol generates strings which are samples 
from this joint distribution. These strings are the output 
of phase 1. 

The task of phase 2 is to distill these strings into a 
shared, secret key. This process can be represented by 
a pair of functions, one each for Alice and Bob, which 
map the signal and measurement strings to key strings. 
An ordinary protocol will consist of several rounds of 
mappings, and in each round the purpose of the classi- 
cal communication is to coordinate the application of the 
associated functions. The term "decoding" refers to the 
initial rounds of the distillation process, specifically those 
required to produce a secret key given a noiseless chan- 
nel. Additional distillation steps are required for noisy 
channels — namely, information reconciliation to correct 
mismatched key letters and privacy amplification to en- 
sure secrecy of the resulting key. 

The set of distillation functions is quite large and the 
choices of protocols myriad. For concreteness, we shall 
focus on maps which attempt to distill one key letter 
from each signal-measurement pair by use of one-to-one 
functions. Note that the distillation procedure may, and 
often does, fail for particular inputs. After presenting 
and examining this formalism, we will describe how to 
make generalizations for more complicated strategies. 

Here it is convenient to describe the distillation func- 
tions via their inverses. Suppose that each of Alice's 
and Bob's maps results in a letter drawn from the set 
{0, . . . , r — 1}. Naturally, r < min(n, m). The action of 
one of Alice's maps can be succinctly captured by the r- 
tuple (c(0), . . . , er(r— 1)J, where cr(x) is the input signal 
which led to the key letter x. For example, if Alice draws 
signals from the set {a, 6, c, d, e} and a decoding function 
maps & to and d to 1, the corresponding tuple is sim- 
ply (&, d). The r-tuple thus records which inputs become 
which key letters. Note that in this convention the dis- 
tillation map is cr _1 and all inputs not appearing in the 
r-tuple are discarded. By a slight abuse of notation we 
denote this with the output symbol □; for instance, in 
the previous example a~ 1 (a) = □. Altogether, we shall 
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assume that Alice has n a (inverse) distillation functions 
<7 S , while Bob has functions named r t . 

The set T of allowable function pairs (s, t) fully de- 
scribes each distillation step. Alice and Bob use the clas- 
sical channel to coordinate their actions and determine if 
the applied function pair yields a key letter — legitimate 
function pairs may still fail to produce a key letter for a 
given input. Again there are several options in how to 
accomplish this in practice; here, we adopt a particular 
communication scheme to perform allowable decodings 
without making any claim to its generality. One of the 
parties — say, Alice — initiates the procedure by randomly 
choosing a function s compatible with her signal — i.e., a 
function which does not map the signal to □ — and an- 
nouncing this choice to Bob. He can then infer which of 
his functions ensures that (s,t) G T and then randomly 
apply one of them. 

The BB84 protocol provides the simplest example of 
this framework. M. and S both consist of (appropri- 
ately normalized) linear polarization states, either hori- 
zontal or vertical or inclined at ±45°. Label these states 
{ — , |,/,\}. Only those signals and measurements be- 
longing to the same basis are to be kept, so the possible 
sifting functions for both Alice and Bob are represented 
by the tuples (— , |), (|,— ), (/,\), and (\,/). The set 
T just consists of the same function for each party. To 
perform the decoding, Alice applies either of the two ap- 
plicable functions to each signal and sends a record of 
her action to Bob. This tells him which decoding func- 
tion to use, and if applying it to his measurement result 
does not produce the output □, Bob keeps the output 
and tells Alice. 

Generalizations to more complicated schemes are now 
straightforward. Keeping to single-letter decoding, whole 
sets of signal or measurement letters can be mapped to 
different key letters simply by considering r-tuples whose 
entries are these sets. The modifications to the functions 
for block decoding are self-evident: block inputs and 
block outputs, keeping the reject output □. To illustrate 
the latter, consider a parity-check advantage distillation 
step ^3|. Alice computes the parity of a particular pair 
of letters and transmits this to Bob. If this matches the 
parity of his corresponding pair, they keep the first let- 
ter; otherwise, they discard both. In the present frame- 
work, this is described compactly by the decoding tuples 
(00, 11) and (01, 10), where T consists of the same tuple 
for each party. 

As the distillation process is meant to create not only 
a correlated, but also secret string, we must consider 
the effect of announcing the distillation function publicly, 
which could reveal information to Eve. Chosen properly, 
however, the decoding will leave Eve completely nescient 
of the key. Such is the case in the BB84 protocol, where 
the sifting information tells Eve that the signal was one 
of two possibilities, instead of the four originally possible. 
Due to the structure of T, this information is completely 
independent of the resulting key bit. 

If the public communication leaks no information 



about the key, then Eve's probability for the key must 
be uniform. As a sufficient (but not necessary) condi- 
tion, we can require both that the signals be chosen with 
uniform probability and that, in the multiset formed by 
the union of all of Alice's r-tuples, each signal appears 
the same number n a times. To cover the cases in which 
the information flows from Bob to Alice, we will assume 
that the measurement outcomes each appear the same 
number rib times in his multiset. This includes essen- 
tially every proposed key distribution protocol and, like 
the choice of oblivious signal ensemble, will have some 
advantages in the next section. 

This limits Eve's source of information about the key 
to the quantum channel. The decoding process will turn 
channel noise into key errors, and the number of errors 
in the decoded key will be linked to the amount of in- 
formation Eve could in principle obtain. By measuring 
the error rate, Alice and Bob can tailor the remaining 
distillation steps to suit their needs. For the prepare and 
measure schemes under consideration here, we assume 
that the further processing is independent of the specific 
decoding details. That is to say, after making the de- 
coded key, Alice and Bob forget which key letters were 
the output of which decoding functions. As much is done 
in the BB84 protocol, for example; basis information is 
irrelevant after the sifting phase. This is not a trivial 
step, since by retaining complete information, Alice and 
Bob could possibly find that key letters from certain de- 
codings require different handling than others. However, 
it is not only vastly simpler to consider the average case, 
but also affords considerable simplification of the channel 
noise, as discussed in Sec. IIVI 



III. QUANTUM FORMULATION 

We now give a fully quantum-mechanical description 
for the prepare and measure protocol. In doing so, 
we must retain the essential features of the protocol — 
namely, the type of physical system actually sent and 
the distribution of signals and measurements, given by 
Eq. £[J. Let Alice begin with the state 

|$) = Vd]T \£,*)a\^)b g n phys ® n phys , (2) 

3 

where is simply the complex conjugate of in 
the standard basis. The vector space to which |$) be- 
longs is explicitly given as it will prove useful to keep 
the various spaces clearly distinct. Here "phys" stands 
for "physical," denoting that this is the space which de- 
scribes the actual physical signal sent. One may verify 
that |$) is properly normalized by using the fact that 

Since the signal ensemble is oblivious, Alice can pre- 
pare one of the signals in subsystem B by measuring 
her half with the POVM Moreover, comput- 

ing the expansion coefficients in the standard basis, we 



4 



find (jfc|<£>) = Sjk/Vd, meaning that |<E>) is the canonical 
maximally entangled state in C d £g> C d . 

After distributing subsystem B to Bob, they perform 
the following operations to their respective systems: 



so that the state becomes 



M 



(P®M)|#) 



n 



(3) 



(4) 



The partial isometries P : H p h ys 



M 



H prcp and M 



hvs 

TQ. 



7i mcas realize the Neumark extensions of S and 
In other words, the POVM's on 7i p h ys are pro- 



moted to projection measurements on 7i prep and 7i n 
all the while ensuring that the outcomes are still dis- 
tributed according to Eq. Q . 

Now for the crux of the whole enterprise. By promot- 
ing the POVM elements to projection operators, each 
party's measurement can be easily restructured into two 
parts: a coarse-grained and a fine-grained measurement. 
The coarse measurement is a projection onto a subspace 
spanned by many basis states, while the fine-grained 
measurement then locates the precise basis state in the 
subspace. The crucial point is that the outcome of the 
coarse-grained measurement can be chosen to correspond 
to the distillation function. 

This is accomplished by employing the two operators 



Sa ■ 'H-p 



Ti-a <8> Hkcy and Sb ■ H n 



S * = y^£e^)| S )|0M0l, 

V Tla . 

si 

Sb = -^E ei0(t ' m) l*)l m )(r t (m)|, (5) 



which relabel the 7i prcp and 7i mC as basis states in terms of 
two registers for the coarse- and fine-grained steps. The 
basis states of the vector spaces TC a and Tib label the 
decoding functions, while the vector spaces 7ikcy contain 
the decoded key. This is an equivalent representation 
of the state as long as the operators are partial isome- 
tries (with 7i prop and H mea s as their respective domains). 
Thus, we must check that J2 s i l (J s(0)( (J s(OI = ^j-l and 
Y] tm \T t (m)}(T t (m)\ = nbt, which follows from the earlier 
requirement that Alice's (Bob's) multiset contain each 
signal (measurement) a fixed number of times. 

Finally, the output states can generally acquire the 
arbitrary phases indicated since they will not affect the 
distribution of outcomes. The phases will be important 
in the next section, however. The state now becomes 

v Zm,st 

(6) 

where the first two systems are Alice's and the latter two 
Bob's, and we have used the notation :— and 



\rj[k]) := |r/fe). Within each pair, the first system refers to 
the decoding function and the second to the key letter. 

Now the decoding operation becomes trivial: simply 
restrict the sums over s, t to only refer to proper function 
pairs. For our chosen decoding scheme, Alice and Bob 
need only exchange the results of standard basis mea- 
surements on Ti. a or TL^ in order to accomplish this task. 
Averaging over all the valid function pairs is the final 
step, since Alice and Bob do not condition any of their 
subsequent actions on the particular decoding functions. 

Performing this averaging procedure, one obtains the 
bipartite key state p G 7Ykcy <8 Hkcy = C r <£> C r . In the 
standard basis, its components are given by 



key 



n a nb 



E A ii; M ^[n(i)]|^[^W])(e[^W]|r?[r t (/)]), 



(s,t)6T 



(7) 

where A*'* fcJ = e i[0(s,i)-0( s ,k)] e i[<Kt,i)-0(t.O]. Altogether, 
the decoding procedure defines a map from H p hys® W p hys 
to 7ikey <8> Hkcy, whose nominal goal is to draw out the 
correlated portions of the signal and measurement strings 
and discard the rest by postselection. In quantum terms, 
the decoding procedure increases the entanglement of the 
state relative to its size by simply repackaging the avail- 
able entanglement into a smaller system. (Recall that the 
state Alice originally prepared was maximally entangled, 
which changed when applying the P and M operations.) 
When the resulting system is highly entangled, security 
can be assured. 



IV. EFFECTIVE CHANNELS 

Now we turn to the operation of the protocol in the 
presence of noise. In principle, we must assume that 
all noise is due to Eve spying on the quantum channel. 
Beyond the nominal goal of concentrating entanglement , 
the decoding phase plays a pivotal role in the protocol 
by creating an effective channel between Alice and Bob 
whose parameters they can easily estimate. Knowledge 
of these parameters then allows them run the classicized 
CSS procedure to distill the final key. 

Essentially, the averaging procedure induced by dis- 
regarding which key letters came from which decoding 
functions does all the work. For the moment, let us sup- 
pose that Eve tampers with each signal individually, per- 
forming some joint unitary operation on the signal and 
any number of ancillary systems she may care to use. For 
a completely general security proof we must also consider 
the case in which she attacks blocks of signals, which we 
return to at the end of this section. The change to the 
signal system itself can be described by the superopera- 
tor £ — J2 P Ep © Ep ■ Here the E p are Kraus operators 
or operation elements [I4j . Following this channel action 
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with the decoding map SaP ® SbM yields 



key 
l J ij-kl — 



1 



7l Q 7l 6 



53 A&MT t m\Ep\t[°.®]) 



p,(a,t)eT 

x(^[a s (k)]\ElHr t (l)])- 



(8) 



[Remember that Eq. (JJJ describes the key in the absence 
of channel noise.] 

The symmetries of the set T will now help to reduce 
the form of £ . Consider the automorphism groups G for 
S and H for M., consisting of unitary operators U g and 
Vh which map the respective sets onto themselves, up to a 
global phase factor for each state. This phase factor may 
depend on the pair of distillation functions a s and r t as 
well. Formally, we have U g \£j) — e M ( 9 ' s '-'- ) |£ 9 (j)) for some 
(real-valued) function a, where g(j) is used to denote the 
permutation action of G on S. Similarly for the measure- 



ment states, Vh\f]k) 



if3(h,t,k) 



Vh(k)} f° r some function 



(3. These operators can be applied to the r-tuple speci- 
fying the destination function a s , resulting in the action 



(MO)), . . . , |a s (r-l)» -A (t/> s (0)>, . . . , U g \a s (v-1))) . 

(9) 

Similarly, one obtains an action on the r-tuples of r* using 

The symmetry group we are after is the subgroup of 
G x H which preserves the set T: unitary operators which 
map pairs of r-tuples in T to other pairs in T.|22j Call 
this group Aut(T)*; it is a subgroup of the full automor- 
phism group of T. In the BB84 protocol, for instance, 
the r-tuples can be transformed into one another by a 
45° rotation: 



(I -) 

T 

(\,/) 



(/,\) 
I 

(- I). 



(10) 



Additionally, the ordering in each pair can be separately 
reversed by suitable reflections. Altogether this produces 
a symmetry group with eight elements. 

Using Aut(T)* allows us to shift the sum over T in 
Eq. iJSJ to a sum over the group elements, replacing each 
particular (s,t) by (g(x), h(y)) for some fiducial pair 
(x,y). If the group Aut(T)* is transitive, then the en- 
tire sum can be rewritten in this manner. In case the 
orbit visits pairs multiple times, which is equivalent to 
the existence of a stabilizer subgroup of Aut(T) acting 
trivially on the fiducial pair, several copies of the sum 
are generated which can be fixed by renormalizing. On 
the other hand, if the group is not transitive, then many 
fiducial pairs will be required so that their orbits com- 
pletely cover T. 

We are interested in the representation of Aut(T)* by 
operators of the form U g <g)Vh, which is is generally projec- 
tive since phase factors make no difference to the quan- 
tum state. For the same reason, the decoding functions 
are also susceptible to rephasing. To keep matters un- 
der control, we can put the latter phases to work against 



the former by setting 9(s,j) = a.{g, x,j) for s — g{x) and 
4>(t, k) = (3(h, y, k) for t = h{y). In the case that Aut(T)* 
is transitive, the simplified density matrix elements are 



key _ ij;kl 



E 



(v[ry(j)]\V^E p U g \^[a x (t)]) 

p,(g,h)eAut(T)* 

x(a<J x (k)]\UlElV h Hr y (l)})- (11) 

Thus, the symmetry of the decoding map induces an ef- 
fective channel between Alice and Bob, described by the 
symmetrized superoperator 

£ sym = £ v£E p U g QU*4v h . (12) 

p,( ff ,ft)eAut(T)» 

This symmetry reduces Eve's possible interference with 
the effective channel. To determine the possible forms of 
£ sym , first express it as the output of a symmetrization 
super-superoperator 1Z: 

£ sym = £ (V£ QV h )oEo{U g QUl)=Tl{£}. (13) 
(g,h) 

Appendix A details a method of using tensor products to 
represent superoperators by means of the isomorphism 
A B — > B T (g) A, which we can use to represent Eve's 
effective action as 



sym 



v^e;u;®vIe p u 9 



(g,h) V p ) 

= Y.^®^£{U* g ®V g ). (14) 

This reduces the symmetrization action to a superop- 
erator itself, and we can iterate the process to write it 
directly as K ~ £( ff)/l )(^ ® Uj) ® (V? ® VjJ). K is 
Hermitian, which follows from the fact that the terms in 
the sum are group elements and each element is paired 
with its conjugate, avoiding difficulty with the projec- 
tive representation. Group composition implies that 1Z 
is idempotent, up to a constant of proportionality. Thus 
all possible effective channel superoperators belong to the 
trivial eigenspace: 7?.[£ sym ] = £ sy m, a drastic reduction in 
the possible forms of Eve's tampering. 

The expression for the bipartite key state can be fur- 
ther simplified using the # operation also defined in Ap- 
pendix A. Letting S% = £ fe e ie( - x '^\k){C W x (k)]\ (note 

the conjugated state) and S y B = Efe e#(2/,fc) l fc )( 7 ?[ T !y( fc )]| J 
direct calculation leads to the simple expression 

Ptl = {Sl®S B )(l®£ sym m AB {n){S A ®S B )\ (15) 

where, again, the state |$) from Eq. J2J is maximally en- 
tangled. Instead of averaging over the different decoding 
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possibilities, now only the "fiducial" decoding is applied, 
but to the output of a suitably averaged channel. The 
end result of this analysis is to identify and delineate the 
two tasks performed by the decoding: The fiducial decod- 
ing operators S\ and S y B characterize the entanglement- 
enhancing abilities, while the effective channel operator 
£sym encapsulates the noise simplifications. 

In case Aut(T)* is not transitive, we need only make a 
small modification to the above procedure. The set T is 
partitioned into disjoint orbits, and instead of choosing 
one fiducial decoding (x,y), we will need one from each 
orbit in order to cover all of T. The final key state then 
contains contributions from every orbit. For the security 
analysis, we relax the condition that Alice and Bob throw 
away information regarding which decoding was used and 
instead treat these terms separately. Each orbit then 
gives rise to an effective channel superoperator, and we 
will take the worst case. 

This concludes the fully quantum-mechanical formula- 
tion of the decoding portion of the protocol. The further 
steps of information reconciliation and privacy amplifica- 
tion can be given a quantum formulation as a CSS-based 
entanglement distillation procedure |l5l Il6[ , which is ap- 
plied to the output of the effective channel. Distillation 
of maximally entangled states then assures the privacy of 
the key. Given the channel parameters, the rate bounds 
of the CSS codes (along with the probability of successful 
decoding) determine the key generation rate of the QKD 
protocol. The CSS codes bring their own symmetries to 
the procedure as well, digitizing the effective channel into 
a Pauli channel. 

The relevant noise probabilities of the effective channel 
are given by overlaps with the various generalized Bell 
states: 



b jk = (Mp kcy \M 



(16) 



For qubit-based keys, the states \/3jk) are the four Bell 
states; in general, they are the complete set of maximally 
entangled states generated by the action of generalized 
Pauli operators X° Z on half the canonical maximally 
entangled state. Unfortunately, Alice and Bob do not 
have independent access to all these noise probabilities. 
Instead, they can only obtain an estimate of the error 
probability of the decoded keys by directly comparing 
some small fraction of them. This probability e is the 
sum of contributions from all generalized Pauli operators 
which are not purely of Z-type — i.e., 



d-l d-l 

j=Q fc=l 



(17) 



The goal is to determine the bjk as functions of the error 
rate e or, failing that, at least find upper bounds. Then, 
given the Pauli channel, bounds on the rate of random 
hashing can be used to infer the secure error-rate thresh- 
old of the key distribution protocol 01 • 

The preceding applies when Eve performs a collective 
attack, interacting with signals independently and iden- 
tically. However, to establish unconditional security of 



the protocol, we must consider the most general attack, 
called a coherent attack, in which Eve coherently ma- 
nipulates all of the signals. By a slight modification of 
the protocol we may ensure that if the protocol is secure 
against collective attacks, then it is also secure against 
coherent attacks. 

The modification requires Alice and Bob to randomly 
reorder their signal and measurement data. This ensures 
that the error rate found by sampling some of the re- 
sulting key bits is representative of the error rate in the 
unsampled key. This gives them direct estimates of some 
of the noise probabilities, and for those which are not 
directly sampled, Azuma's inquality ensures that if a re- 
lation such as bjk < /jfe(e) holds for every key letter, then 
the frequencies observed in a long sequence also obey this 
constraint [l2L Il8j . Since the efficacy of random hashing 
depends on these frequencies, arbitrary correlations be- 
tween signals pose no additional difficulties |T(| . 

One loose end remains to be tied up. In the simpli- 
fied expression for the key, Eq. I|15fl . some phase freedom 
remains in the operators S x and S v . These phases can 
make a difference in the secure error threshold of the pro- 
tocol even though they have no influence on the distribu- 
tion of signal and measurement data. Though seemingly 
improper at first glance, this effect is due to an inherent 
flexibility Alice and Bob have in constructing the CSS- 
based entanglement purification scheme. In canonical 
form, the CSS code is built from eigenspaces of products 
of the operators X = £\ + and Z = Efe w?£ | fc )( fc l» 
where u> = e 27 < l / d . However, Alice and Bob only ever ac- 
tually measure in the standard Z basis, meaning they 
are free to alter the X operator in any manner consistent 
with the stabilizer formalism. In particular, they can 
equally well substitute X = Y^j e 1 ^ \j + 1) (j\ for X with- 
out changing the crucial relationship ZX = 10XZ. The 
altered Pauli operators give rise to a rephased variant of 
the maximally entangled states, 



\(3 jk ) = l®X j Z k \$) = -^yy exp 



m=0 



OIK?) 

(18) 

For instance, in the case of two two-level systems, the 
general set of maximally entangled states reads 1 00) ± 
|ll),e^°|01) ± e^llO). Thus, altering the phases ap- 
pearing in S x and S v can indeed change the distribution 
of noise bjk without affecting the distribution of signals 
and measurements pjk- 



V. SECURITY OF SPHERICAL CODE QKD 
PROTOCOLS IN SMALL DIMENSION 

The preceding gives a general method for establishing 
the unconditional security of protocols exhibiting a high 
degree of symmetry. One needs (merely) to find the rel- 
evant automorphism groups and then straightforwardly 
compute the bjk distribution to determine the secure er- 
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ror threshold for any given protocol. To demonstrate this 
technique, we turn our attention to quantum key distri- 
bution protocols employing equiangular spherical code 
signal states in low dimensions. 



A. Qubit tetrahedron 

In the tetrahedral protocol of [Tl|, Alice's signal qubits 
are given by four states whose Bloch vectors form a regu- 
lar tetrahedron. Bob's measurement states correspond to 
the inverse (in the sense of the Bloch sphere) of this tetra- 
hedron, so that each of his outcomes rules out one poten- 
tial signal. Alice decodes two of the states into a logical 
bit and announces which ones to Bob. If his measurement 
rules out one of the possibilities, he can determine the 
bit; the whole procedure succeeds with probability one- 
third in the absence of noise. Alice's decoding functions 
are equivalent to ordered pairs of signal states, of which 
there are 12. Since Bob's successful decoding function 
is completely specified by Alice's, 12 possible decoding 
combinations exist in total and only one-way communi- 
cation from Alice to Bob is required. The automorphism 
group corresponds to A4, the alternating group on four 
elements, and can be projectively represented on C 2 for 
both parties using the following two generators: 



1 

1 



1 
71 



1 -i 
1 i 



(19) 



This group representation corresponds to using the tetra- 
hedron generated from the fiducial state (v3 + -\/3j 0) + 
V3-\/3e 47r / 4 |l))/V6 for the signals. 

From the automorphism group it is easy to calculate 
the trivial eigenspace of 1Z, which is in this case spanned 
by only two superoperators. By appropriate use of the # 
operation, the output of the channel for maximally en- 
tangled input can be expressed as a linear combination of 
the identity operator and the maximally entangled state 
again — i.e., the depolarizing channel. Next, a fiducial de- 
coding consisting of restriction to the fiducial signal state 
and its image under the first generator a x can be ap- 
plied and the error probabilities of the resulting state 
can be tabulated. In terms of the depolarization rate 
p, they are given by &01 = ^11 = 2&io = p/(2 + p) and 
600 = 1 — froi — ^10 — bu, where all phases appearing in 
the fiducial decoding operators were set to zero. Finally, 
we can apply the random hashing bound on the number 
of distillable maximally entangled states S(p) from an 
input state p with diagonal entries in the Bell basis given 
by bjk- S(p) > 1 — H({bjk}), where H is the Shannon 
entropy. From this one obtains a threshold depolariza- 
tion rate of approximately 16.69%, corresponding to an 
error rate e — 3p/(4 + 2p) of approximately 11.56%. 



B. Qutrit spherical code protocols 

For qutrits — three-level quantum systems — there are 
four possible equiangular spherical code signal ensembles 
Alice could choose from, with n =4, 6, 7, and 9 elements, 
respectively. A myriad of protocols exist using these as 
signals, but here we confine our attention to those for 
which Bob's measurement outcomes are orthogonal to 
two signal states and the goal of the decoding step is to 
establish one bit. The latter requirement means that the 
decoding functions have support on only two signals at a 
time, or in other words, Alice informs Bob that the signal 
sent is one of only two possibilities. The set T consists of 
function pairs corresponding to the cases in which Bob's 
measurement outcome and Alice's announcement allow 
him to determine which signal she sent. Since the raw key 
alphabet consists of just two letters, Alice and Bob can 
make use of qubit CSS codes to perform error-correction 
and privacy amplification. 

The technique of having Bob's measurement repudi- 
ate some of Alice's signals was introduced briefly in [ljj . 
Letting IL, = we can formulate the measurement 

as 



\V],k}(VjM oc 1 



n, 



n fc -{n j5 n fc } 



1 - Trpj-Hfe] 



(20) 



Since for spherical codes the denominator does not de- 
pend on j and fc, the set of projectors can easily be found 
to sum to the identity operator. 

For each protocol we attempt to find Aut(T)* and from 
this extract the possible outputs of the corresponding ef- 
fective channel for each orbit in T; Aut(T)* is nontran- 
sitive for all these protocols. Then the phases of the 
canonical decoding operators must be judiciously chosen 
to find the best secure error threshold. In the first three 
protocols n = 4,6,7 it is necessary to give up on ran- 
dom hashing directly and retreat to finding a CSS code 
which can correct the bit and phase errors independently, 
for there are too many parameters to determine the rela- 
tionships between the various Pauli errors exactly. This 
strategy was also used in the security analysis of the trine 
protocol (l2|. When n = 9 the effective channel is again 
a depolarizing channel and therefore the better technique 
of random hashing can be used. 

Table [I] shows the threshold error rates and sufficient 
threshold fidelities for these protocols, whose details are 
laid out in Appendix B. One might expect a trend to 
higher tolerable error rates and minimal fidelities with in- 
creasing number of signals, but the seven-element spher- 
ical code breaks rank, requiring the cleanest channel. A 
quick check of the appendix reveals the reason: there 
are 1050 possible decoding combinations, but the largest 
known automorphism group has only 42 elements, yield- 
ing 25 distinct orbits. Thus, a fairly large mismatch ex- 
ists between the symmetry of the decoding combinations 
and those realized by action on the signals, which sim- 
ply does not restrict the channel as much as in the other 
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Spherical code protocol 



Threshold error rate 



Sufficient threshold fidelity 



[4,2,2,1] 

[4,3,2,2] 
[6,3,2,2] 
[7,3,2,2] 
[9,3,2,2] 



11.56% 

8.90% 
11.00% 
10.37% 
11.80% 



0.917 

0.881 
0.844 
0.916 
0.843 



TABLE I: Threshold error rates and fidelities for the qubit tetrahedron protocol and the four spherical-code-based key distri- 
bution protocols in three dimensions. The protocols are named according to the convention [n, d, k, m] where n is the number 
of signals, d is the dimension of the associated vector space, k is the number of possible remaining signals after Alice announces 
the decoding information (i.e.,fc is the size of the key alphabet), and m is the number of signals which are ruled out by Bob's 
measurement. The threshold error rate is the maximum secure error rate of the key, while the sufficient threshold fidelity is a 
upper bound on the corresponding fidelity of the output state of the symmetrized channel with the maximally entangled input. 
Fidelities beyond this limit are sufficient for key creation. 



cases. However, it should be noted that the full automor- 
phism group might be larger. 



APPENDIX A: SUPEROPERATOR 
REPRESENTATIONS 



VI. DISCUSSION AND CONCLUSION 

By treating the decoding step of prepare and mea- 
sure protocols quantum mechanically, we have presented 
a general formalization which enables the application of 
the entanglement-distillation proof technique to a broad 
class of key distribution protocols. Additionally, we gain 
insight into the general role decoding plays in quantum 
key distribution. On the one hand, the symmetries of the 
signal and measurement states are found to play a clear 
and direct role in security proofs. Applying this machin- 
ery to the symmetries of various equiangular spherical 
codes in two and three dimensions yielded the secure er- 
ror threshold for the associated protocols. On the other 
hand, treating the decoding step in more detail reveals 
the mechanism by which Alice and Bob are able to esti- 
mate the various noise parameters: The decoding step 
creates an "effective" quantum channel between Alice 
and Bob, whose noise properties they can more easily es- 
timate than those of the physical channel. The decoding 
creates a sort of logical communication layer embedded 
within the physical layer of actual signals. With this for- 
mulation in place, we can now begin to consider more 
complicated decoding strategies: two-way communica- 
tion, block-wise and set-wise decoding, as well as more 
general "imperfect" protocols whose decoding schemes 
which produce nonmaximally entangled states. 



In expressing superoperators, one convention is to 
use "0" as a placeholder for the input operator — i.e., 
(A C)[B] = ABC. However, this makes representa- 
tions cumbersome. Instead one would like to express the 
superoperator as a matrix and the input operator as a 
vector. This is easily done, albeit in two distinct ways. 
First, note that we can flatten the operator B into a vec- 
tor by applying it to half of a maximally entangled state, 
like so: B^(1®B)|$). This action is called the VEC 
map. The action of (A C) on B then becomes multi- 
plication of VEC(S) by the operator C T A. Another 
matrix representation of superoperators can be obtained 
by applying the superoperator to half of a maximally en- 
tangled state. This furnishes a representation similar to 
the way VEC produces a vector from an operator, so 
the map is termed OP. Here one finds immediately that 
(l ® (4 C)[$])^.. fc; = ajiCki, which is related to the 

C T A representation by simply interchanging the first 
and last indices i and I. This "partial transposition" can 
be denoted by as in 



[OP(A0C)L W = [(C T ®Ay 



J ij;kl 



(Al) 



A more detailed account of this superoperator sleight of 
hand can be found in 1201 . 
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APPENDIX B: QUTRIT SECURITY DETAILS 

In this appendix we list the ingredients which are re- 
quired to complete the security proof for the qutrit spher- 
ical code protocols, including the signal states, the auto- 
morphism group, and the phases of the decoding opera- 
tors. 
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1. [4,3,2,2] 

Beginning with the vector A= (|0) + |1) + |2)), four 
equiangular states labeled 0, 1, 2, 3 can be generated from 
it by application of the operators 

/ 1 o o\ / o o -1 \ / -1 o\ 

0-1, 010, -100, 

v o -1 o / \-i o o / \ o oiy 

in this order. These operators also generate the auto- 
morphism group, which is a representation of 64. Take 
the fiducial decoding (0,1) for Alice and ({1, 2}, {0, 3}) 
for Bob, where the two sets identify the states ruled out 
by his measurement. Then Alice's phases can both be 
set to zero, while Bob must choose them to have a dif- 
ference of 7r. From this it follows that e p h aS c < febit, 
which then leads to 8.90% by the CSS rate bound 
1 — ^(ebit) — ^2(e p haso)- Here hi is the binary Shan- 
non entropy. This also holds when we consider three 
other decodings for Bob: ({1, 3}, {0, 2}), ({1, 2}, {0, 2}), 
({1, 3}, {0, 3}). Under the group action these four fiducial 
decodings cover all of the 48 possibilities. 

2. [6,3,2,2] 

First let be the golden ratio (1 -I- \/5)/2. Then start- 
ing with (v / 0|1) + a/0 — 1|2))/5 1 / 4 , six equiangular vectors 
are generated by the group formed from the first two of 
the following: 

^0 l\ /ioo\ / 1-0 1 \ 
100, 010,-1-0 1 

\o 1 0/ \o -1 J \ 1 1-0/ 

(B2) 

Adding the final operator gives the full automorphism 
group, which is a projective representation of A§. One 
can then derive that e p hasc < ebit- 



3. [7,3,2,2] 

Letting 77 = exp[27ri/7], the seven-element spherical 
code in three dimensions can be generated by repeated 
application of the first of the operators 

??oo\ / o 1 o \ 

if , 1 (B3) 
rf J \1 00/ 

to the vector t^(|0) + |1) + |2)). The second stabilizes 
the starting vector, along with the antiunitary operation 
of complex conjugation in the standard basis. Altogether 
this yields a group of order 42, using which one derives 

that e p hase < g e bit- 

4. [9,3,2,2] 

Let uj — e 2 "/ 3 . Forming the nine element group from 
the first two of the generators 











(1 







1 





;• 





UJ 


: 





1 




V0 





uj 2 



( 1 \ x ( 1 uj 2 uj 2 \ 

uj 2 , -= 1 1 uj , (B4) 
\0 uj 2 J V6 \lujl) 

and applying them to the fiducial vector (|1) — |2))/\/2 
generates the SICPOVM. The latter two generators sta- 
bilize the fiducial vector and enlarge the automorphism 
group to consist of 216 elements which are isomorphic 
to the Shephard-Todd reflection group number 25 mod- 
ulo its center |2l|. This group gives rise to a depolar- 
izing effective channel, and the various errors are found 
to obey the relations 61,0 = 26o,i(6 — V3)/15 and 61,1 = 
26 M (6 + V3)/15. 
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